Overview of attack scenario sources for assessing the effectiveness of industrial network protection and monitoring systems · 2019-11-21 · 21 pages
Anton Shipulin, CISSP, CEH, CSSA

Transcript

Page 1

Overview of attack scenario sources for assessing the effectiveness of industrial network protection and monitoring systems

Anton Shipulin, CISSP, CEH, CSSA

Page 2

Problem

• Customers need criteria for selecting effective ICS cybersecurity systems
• Customers need criteria for evaluating the effectiveness of the capabilities of their existing ICS cybersecurity systems and of the SOC as a whole
• SOCs and ICS cybersecurity vendors need criteria for evaluating the effectiveness of their own capabilities

https://ics.kaspersky.com/media/ics-conference-2018/Vladimir-Karantaev-Managed-detection-and-response-MDR-delivery-models-for-industrial-control-systems-ICS-En.pdf

Page 3

NSS Labs. There is no test for ICS Security solutions yet

https://www.nsslabs.com/tested-technologies/

Page 4

Sources of attack scenarios/techniques

Techniques frameworks

• MITRE ATT&CK Enterprise
• MITRE ATT&CK ICS (in progress)
• CAT/CAFFEINE (in progress)

Industrial testbeds/exercises

• iTrust CISS, Singapore
• Kaspersky Industrial CTF
• The Standoff
• S4 ICS Detection Challenge
• Locked Shields

Real incidents

• Industroyer
• Stuxnet
• Triton

Research papers

• arXiv.org
• GitHub/GitLab
• IEEE Xplore Library
• ScienceDirect
• ResearchGate
• ScienceOpen
• Google Scholar
• CREDC

Safety Studies / CCE

• PHA/HAZOP
• Accident reports
• Safety/Hazard/Failure analysis

Practical Guides

• NISTIR 8219. BAD
• …

Intrusion Datasets/PCAPs

Page 5

Intrusion Datasets

https://arxiv.org/abs/1903.02460v2

https://lukatsky.blogspot.com/2019/02/blog-post_26.html

Page 6

MITRE ATT&CK. What is it?

ATT&CK is a knowledge base and classification of attacker techniques at the various stages of the attack lifecycle

https://attack.mitre.org

Page 7

MITRE ATT&CK. What to check?

https://public.tableau.com/profile/cyb3rpanda#!/vizhome/MITREATTCKMatrixforEnterpriseV2/ATTCK

[Figure: ATT&CK Enterprise matrix visualisation, with techniques grouped by the data needed to detect them: Endpoint Data, Network Data]

Page 8

MITRE ATT&CK. How to check

BAS (breach and attack simulation) tools simulate malicious activity, including techniques that would bypass the current defences, allowing SOCs to determine the current state of their protection

https://www.gartner.com/en/documents/3875421

https://blogs.gartner.com/augusto-barros/2018/04/17/threat-simulation-open-source-projects/

https://github.com/redhuntlabs/RedHunt-OS/

Commercial

• AttackIQ
• Circumventive
• Cymulate
• Pcysys
• Picus
• SafeBreach
• ThreatCare
• Verodin
• XM Cyber
• SCYTHE

Open Source

• Red Team Automation (RTA)
• Infection Monkey
• Network Flight Simulator
• Metta
• Atomic Red Team
• MITRE CALDERA
• APT Simulator

https://attackevals.mitre.org

Page 9

Industrial testbeds/exercises: Kaspersky Industrial CTF

https://ctf.kaspersky.com

Page 10

Industrial testbeds/exercises: SUTD, Singapore

Full details on the testbed: https://itrust.sutd.edu.sg/testbeds/secure-water-treatment-swat/

6 stages:
► P1: Raw water supply and storage
► P2: Pre-treatment
► P3: Ultrafiltration and backwash
► P4: De-chlorination system
► P5: Reverse osmosis (RO)
► P6: RO permeate transfer, UF backwash and cleaning

Page 11

Industrial testbeds/exercises: SUTD, Singapore, 2017

Cybercriminal Attacker Model
- Control of the PLC through the bridged Man-in-the-Middle (MiTM) at Level 0
- Control of the chemical dosing system through a Python script (pycomm)
- Control of the Historian through the Aircrack WiFi
- Control of the pressure through the Server Message Block (SMB)
- Control of the water level in the tank through the Metasploit VNC scanner
- Control of the pump through a rogue router
- Control of the pump through the FactoryTalk and password vulnerability
- Control of the pressure pump through Python script (pycomm)
- Control of the pump through the compromised HMI
- Overwriting data stored at Historian
- Control of the Historian through MiTM using ARP

Insider Attacker Model
- Control of the motorised valve through manual intervention
- Control of the RIO/Display through manual configuration on the sensor
- Control of the water pump P101 through the Python script (pycomm)
- Control of the water pump P101 through manual operation of the HMI
- Control of the pressure pump through Python script (pycomm)
- Control of the water tank level LIT101 through Python script (pycomm)
- Control of chemical dosing through modified PLC logic
- Control of the RIO through disconnecting analogue input/output pin
- Control of the amount of chemical dosing through Python script
- Control of the PLC through the modification of PLC logic in Studio 5000
- Control of the motorised valve through modification of PLC logic in Studio 5000
- Control of the motorised valve MV201 through the modification of PLC logic
- Control of the water tank level LIT301 through adjusting alarm levels
- Control of the chemical dosing pump P205 through manual operation of the dosing meter
- Control of the HMI/SCADA through simulation control
- Control of the PLC through disconnected network cables

Details: https://goo.gl/y1Pxre

Page 12

Industrial testbeds/exercises: SUTD, Singapore, 2019

2:23 - Scanning both Zycron and SWaT network concurrently.
2:30 - Discovered the VNC service.
2:38 - Attack: Attempting to do MITM attack on PLC1. Attempt to do bridge in primary PLC to RIO.
2:50 - Attack: Attempting to do Layer 0 MITM attack on LIT101. Spoof water level to 390.
2:54 - Attack Successful!
2:59 - Attack: Download modified P2 PLC code.
3:01 - Attack Unsuccessful!
3:18 - Attack: Downloading modified P2 PLC code. Attack Unsuccessful!
3:19 - Attack: Trying to breach the firewall.
3:22 - Attack: Overwriting PLC code. Attack Unsuccessful!
3:38 - Attack: Attempting to set LIT101 to 300. Attack Unsuccessful!
4:16 - Spoofing attack LIT101 at HMI Successful!
4:45 - Download of PLC code failed!
5:07 - Launch on DPIT pressure successful!
5:18 - Attempt to change plant to manual mode.
5:19 - Attempt successful!
5:20 - Attempt to stop plant process.
5:23 - Attempt to stop/start plant successful!
5:28 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful!
5:36 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful!
6:18 - Attack: Attempt to do DoS attack on historian for all values. Attack unsuccessful!
6:20 - Eternal Blue attack: Time Out!

https://itrust.sutd.edu.sg/ciss-2019/

Page 13

Industrial testbeds/exercises: SUTD, Singapore

[Figure: Overview of dataset requests by country (left) and year (right)]

• Secure Water Treatment (SWaT)
• SWaT Security Showdown (S317)
• Water Distribution (WADI)
• BATtle of Attack Detection Algorithms (BATADAL)
• Electric Power and Intelligent Control (EPIC)
• Blaq_0

https://itrust.sutd.edu.sg/research/dataset/

Visit by Kaspersky Lab

Researchers from Russia:
• Institute of Control Sciences
• Moscow Institute of Physics and Technology
• National Research University
• Saint Petersburg State University
• Peter the Great St. Petersburg Polytechnic University
• South Ural State University
• Innopolis University
• Kaspersky Lab

Page 14

Industrial testbeds/exercises: S4x19 ICS Detection Challenge

• WMI Lateral Movement

• Reconnaissance / Network Scan

• Reconnaissance / Reading Project from PLC / Modbus

• Reconnaissance / Modbus Scan

• Transfer Malicious Firmware to Rockwell Automation PLC

• Modbus Write Attempt from an Internet address

• “Stuxnet” Malware Network Activity

• “Havex” Malware Network Activity

• “Greyenergy” Malware Network Activity

https://www.youtube.com/watch?v=vSd8hoRqnF4&list=PLPmbqO785Hlt3yFvW-EZhvRq53EcCjmZc

https://www.youtube.com/watch?v=A2tQo4t4ibo

Page 15

Real incidents: Industroyer

The 2016 Ukraine attack occurred at the transmission-level with an attack against a regional SCADA system generally focused on a single 330 kV-to-110 kV-to-10 kV substation, resulting in a distribution-level outage.

KICS 60870-5-104 Protocol Events

https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Page 16

Real incidents: Triton

Endpoint activities at different levels and stages:
• PowerShell, Python
• SSH clients (PuTTY/Plink)
• Netcat/Cryptcat
• Mimikatz, PsExec
• AdExplorer, ShareEnum, PsGetSid
• Nmap, iPerf
• Trilog.exe

Network activities at different levels and stages:
• DNS
• SSH
• RDP
• RPC/SMB (PsExec)
• HTTP (webshell)
• TCP/UDP (Nmap, iPerf)
• VPN
• Tristation (UDP)

[Figure: network levels from the PLC and Fieldbus up through the Control Network, SCADA/DCS Network, Plant DMZ Network and Office Network to the Internet and the attacker; SCADA nodes, the Safety Instrumented System (SIS) and the SIS EWS are placed on the diagram, with two callouts:]
• Trilog.exe
• Tristation (UDP)

Page 17

Real incidents: Triton

https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN

Page 18

Practical Guides. NISTIR. Behavioral Anomaly Detection

• plaintext passwords
• user authentication failures
• new network devices
• abnormal network traffic between devices
• internet connectivity
• data exfiltration
• unauthorized software installations
• PLC firmware modifications
• unauthorized PLC logic modifications
• file transfers between devices
• abnormal ICS protocol communications
• malware
• denial of service (DoS)
• abnormal manufacturing system operations
• port scans/probes
• environmental changes

https://csrc.nist.gov/publications/detail/nistir/8219/draft
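As an added illustration (not code from the deck, from NIST or from any tool named above) of how two of the scenario sources turn into concrete checks, the following runs detection logic for the S4x19 challenge items "Modbus Write Attempt from an Internet address" and "Reconnaissance / Modbus Scan", which also fall under the NISTIR 8219 categories "abnormal ICS protocol communications" and "port scans/probes", over constructed Modbus/TCP session records. The record format, the internal address ranges and the scan threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
# Constructed Modbus/TCP session records for the example (not a real capture):
# "<epoch> <src_ip> <dst_ip> <unit_id> <function_code>"
SAMPLE_LOG = """\
1547000001 10.10.1.5 10.10.2.20 1 3
1547000002 10.10.1.5 10.10.2.20 1 16
1547000003 203.0.113.7 10.10.2.20 1 6
1547000004 10.10.1.9 10.10.2.21 1 3
1547000005 10.10.1.9 10.10.2.22 1 3
1547000006 10.10.1.9 10.10.2.23 1 3
1547000007 10.10.1.9 10.10.2.24 1 3
1547000008 10.10.1.9 10.10.2.25 1 3
1547000009 10.10.1.9 10.10.2.25 2 3
"""
# Modbus function codes that change coil/register state on the target device.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Ranges treated as "inside the plant" here (assumption); a real deployment
# would use the site's own address plan rather than a generic RFC 1918 list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_log(text):
    """Parse the text records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, unit, func = parts
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "unit": int(unit), "func": int(func)})
    return records

def is_internet_address(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def internet_write_attempts(records):
    """S4 'Modbus Write Attempt from an Internet address': state-changing function code from outside."""
    return [r for r in records
            if r["func"] in WRITE_FUNCTIONS and is_internet_address(r["src"])]

def modbus_scanners(records, min_targets=5):
    """S4 'Reconnaissance / Modbus Scan': one source touching many distinct (device, unit id) pairs."""
    targets = defaultdict(set)
    for r in records:
        targets[r["src"]].add((r["dst"], r["unit"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}
```

On the constructed records the internal write from 10.10.1.5 is not flagged, the write from 203.0.113.7 is, and 10.10.1.9 is reported as a scanner with six distinct targets.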

Page 19

https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

The Pyramid of Pain

[Figure: the Pyramid of Pain, with three annotations: "Attack scenarios and the detections for them", "Specific attributes", "Effective Threat Intelligence"]

Page 20

Sources of attack scenarios/techniques

Techniques frameworks

• MITRE ATT&CK Enterprise
• MITRE ATT&CK ICS (in progress)
• CAT/CAFFEINE (in progress)

Industrial testbeds/exercises

• iTrust CISS, Singapore
• Kaspersky Industrial CTF
• The Standoff
• S4 ICS Detection Challenge
• Locked Shields

Real incidents

• Industroyer
• Stuxnet
• Triton

Research papers

• arXiv.org
• GitHub/GitLab
• IEEE Xplore Library
• ScienceDirect
• ResearchGate
• ScienceOpen
• Google Scholar
• CREDC

Safety Studies / CCE

• PHA/HAZOP
• Accident reports
• Safety/Hazard/Failure analysis

Practical Guides

• NISTIR 8219. BAD
• …

Intrusion Datasets/PCAPs

Page 21

Thank you!

ics.kaspersky.com

Kaspersky HQ, 39A/3 Leningradskoe Shosse, Moscow. T: +7 (495) 797 8700 #1746

[email protected] @shipulin_anton

Anton Shipulin, CISSP, CEH, CSSA
Manager, Critical Infrastructure Security Solutions Development